Unwanted multiple backslashes after user input apostrophe


Unwanted multiple backslashes after user input apostrophe

Postby dougmiller » Wed Nov 25, 2015 11:48 pm UTC

I have this in Wordpress:

<h3>Welcome, [insert_php]session_start();
echo $_SESSION['your_org']  = stripslashes($_GET ['your_org'] . " - "); echo $_SESSION['choice']  = stripslashes($_GET

[/insert_php] - <b>Your Design Ideas</b></h3>

If a user enters an apostrophe, e.g. Bob's, as input in the 'your_org' variable, I get this as output:

e.g. Bob\'s

Host PHP version 5.5

magic quotes turned off

Last edited by phlip on Thu Nov 26, 2015 3:52 am UTC, edited 1 time in total.
Reason: Added [code] tags


Re: Unwanted multiple backslashes after user input apostroph

Postby Xanthir » Fri Nov 27, 2015 5:35 pm UTC

If you're getting slashes, then either (a) magic_quotes is actually on, or (b) some other part of your processing system is terrible at escaping.

If magic_quotes is off, you don't need stripslashes(), as there won't be any bad slashes in the input in the first place. Remove those and see if you're getting *even more* slashes or something, or if it's unchanged. If it's unchanged, then it's part of the downstream system.

Also, you need to be using htmlspecialchars() on every string echo'd to the page that came from the user or environment. Right now a url like `http://example.com/?your_org=<script>alert(1)</script>` will run the script.
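
An added example, not part of the thread or either poster's code: a plain-PHP version of the heading that checks whether backslashes are already present in the raw input (the test suggested in the reply) and escapes both values with htmlspecialchars() on output, with no stripslashes() call. The function names and sample inputs are constructed for illustration, and the arrays stand in for $_GET.

```php
<?php
// Added example; function names and sample inputs are constructed.

// Escape a value for HTML text or a quoted attribute.
function esc($value)
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True if the raw value already holds a backslash before ', " or \,
// meaning something upstream of this code added slashes.
function has_added_slashes($raw)
{
    return preg_match('/\\\\[\'"\\\\]/', $raw) === 1;
}

// Read one query parameter as a string; ?your_org[]=x arrives as an
// array, which is treated as empty rather than passed to string functions.
function query_string_param(array $query, $name)
{
    return (isset($query[$name]) && is_string($query[$name])) ? $query[$name] : '';
}

// Build the heading from the thread with both values escaped on output
// and no stripslashes() call.
function render_heading(array $query)
{
    $org    = query_string_param($query, 'your_org');
    $choice = query_string_param($query, 'choice');
    return '<h3>Welcome, ' . esc($org) . ' - ' . esc($choice)
         . ' - <b>Your Design Ideas</b></h3>';
}

// Constructed stand-ins for $_GET.
$samples = array(
    array('your_org' => "Bob's", 'choice' => 'Logo'),
    array('your_org' => "Bob\\'s", 'choice' => 'Logo'),   // slashes added upstream
    array('your_org' => '<script>alert(1)</script>', 'choice' => 'Logo'),
    array('your_org' => array('x'), 'choice' => 'Logo'),  // ?your_org[]=x
);

foreach ($samples as $query) {
    $raw = query_string_param($query, 'your_org');
    echo has_added_slashes($raw) ? "[slashes in input] " : "[clean input]      ";
    echo render_heading($query), "\n";
}
```

Run it with the PHP CLI. A "[slashes in input]" line means the backslashes arrived before this code ran, so their source is upstream of the output step.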
